Matt wrote:

> Hmmm.... this is quite an interesting thought for me. It would be very
> useful for an applet to function as a "kinit" to a number of realms,
> which would then store a TGT within my Win2k/Apple/Linux local cache,
> such that my local applications and utilities can connect to Kerberized
> resources (file shares, spnego-web, etc) Of course, the need for
> multiple OS's means this would need to be a standard part of the JVM (or
> separate OS aware Java packages).
>
> Does such a beast exist?
>
> -Matt

There are two fundamental problems with using the Java Kerberos implementation as the kinit application.

First, the Java Kerberos implementation only supports the single DES enctypes. This is not desirable given that every other distribution of Kerberos by now supports DES3 and RC4 and some even support AES.

The second problem is that the Java Kerberos implementation only knows how to support file-based credential cache files. On Windows and MacOS X, file ccaches are not used. Instead, the CCAPI interface is used for access to the MIT ccache which is stored in memory. In addition, on Windows the Microsoft ccache is stored as part of the Logon Session services.

I have suggested in the past to Sun's Java Security team that they re-implement the Java Kerberos to use JNI to support whatever Kerberos implementation is provided by the base operating system. They should only use their own implementation when an operating system specific Kerberos is not available for use. This would allow for true single sign-on and transparency for all of the major operating systems while still providing a light-weight Kerberos implementation for smaller devices running Java which do not have OS support for Kerberos.

If you support this idea, please file a request with Sun.

Jeffrey Altman

________________________________________________
Kerberos mailing list [EMAIL PROTECTED]
https://mailman.mit.edu/mailman/listinfo/kerberos
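
An added example, not part of the original message and not code from any Kerberos distribution: a check that reads a file-based credential cache and reports which stored credentials use a single-DES session key, the two limitations discussed above. It assumes the MIT file ccache format version 4; `sample_ccache`, the realm `EXAMPLE.TEST` and the principal `alice` are constructed for illustration.

```python
import io
import struct
# Enctype numbers from the Kerberos registry; 1-3 are the single-DES types.
NAMES = {1: "des-cbc-crc", 2: "des-cbc-md4", 3: "des-cbc-md5",
         16: "des3-cbc-sha1", 17: "aes128-cts-hmac-sha1-96",
         18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}
SINGLE_DES = {1, 2, 3}

def _take(f, n):
    raw = f.read(n)
    if len(raw) != n:
        raise ValueError("truncated credential cache")
    return raw
def _int(f, fmt):                  # big-endian integer field
    return struct.unpack(fmt, _take(f, struct.calcsize(fmt)))[0]
def _data(f):                      # counted octet string: uint32 length + bytes
    return _take(f, _int(f, ">I"))
def _principal(f):
    _int(f, ">I")                  # name type, unused here
    count = _int(f, ">I")
    realm = _data(f).decode()
    return "/".join(_data(f).decode() for _ in range(count)) + "@" + realm

def audit_ccache(blob):            # -> [(server, enctype name, is_single_des)]
    f = io.BytesIO(blob)
    if _take(f, 2) != b"\x05\x04":
        raise ValueError("only file ccache format version 4 is handled")
    _take(f, _int(f, ">H"))        # skip the v4 header tags
    _principal(f)                  # default principal
    out = []
    while f.tell() < len(blob):
        _principal(f)              # client
        server = _principal(f)
        etype = _int(f, ">H")      # session key enctype
        _data(f)                   # key bytes, read past and never reported
        _take(f, 16 + 1 + 4)       # four timestamps, is_skey, ticket flags
        for _ in range(2):         # address list, then authdata list
            for _ in range(_int(f, ">I")):
                _int(f, ">H"); _data(f)
        _data(f); _data(f)         # ticket and second ticket
        out.append((server, NAMES.get(etype, str(etype)), etype in SINGLE_DES))
    return out

def sample_ccache(etype):          # constructed input, not a real cache
    d = lambda b: struct.pack(">I", len(b)) + b
    p = lambda *c: struct.pack(">II", 1, len(c)) + d(b"EXAMPLE.TEST") + b"".join(map(d, c))
    cred = (p(b"alice") + p(b"krbtgt", b"EXAMPLE.TEST") + struct.pack(">H", etype)
            + d(bytes(8)) + bytes(21) + bytes(8) + d(b"tkt") + d(b""))
    return b"\x05\x04\x00\x00" + p(b"alice") + cred
```

`audit_ccache(open(path, "rb").read())` applies the same check to a cache file on disk; it does not cover CCAPI or Windows Logon Session caches, which are not files.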
